diff --git a/gd-CVE-2016-5116.patch b/gd-CVE-2016-5116.patch deleted file mode 100644 index 591a060..0000000 --- a/gd-CVE-2016-5116.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger -Date: Sat, 14 May 2016 01:38:18 -0400 -Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211 - -We use the name passed in to printf into a local stack buffer which is -limited to 4000 bytes. So given a large enough value, lots of stack -data is leaked. Rewrite the code to do simple memory copies with most -of the strings to avoid that issue, and only use stack buffer for small -numbers of constant size. - -This closes #211. ---- - src/gd_xbm.c | 34 +++++++++++++++++++++++++++------- - 1 file changed, 27 insertions(+), 7 deletions(-) - -diff --git a/src/gd_xbm.c b/src/gd_xbm.c -index 74d839b..d28fdfc 100644 ---- a/src/gd_xbm.c -+++ b/src/gd_xbm.c -@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd) - /* {{{ gdCtxPrintf */ - static void gdCtxPrintf(gdIOCtx * out, const char *format, ...) - { -- char buf[4096]; -+ char buf[1024]; - int len; - va_list args; - -@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...) - } - /* }}} */ - -+/* The compiler will optimize strlen(constant) to a constant number. */ -+#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s)) -+ - /* {{{ gdImageXbmCtx */ - BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out) - { -@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC - } - } - -- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image)); -- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image)); -- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name); -+ /* Since "name" comes from the user, run it through a direct puts. -+ * Trying to printf it into a local buffer means we'd need a large -+ * or dynamic buffer to hold it all. 
*/ -+ -+ /* #define _width 1234 */ -+ gdCtxPuts(out, "#define "); -+ gdCtxPuts(out, name); -+ gdCtxPuts(out, "_width "); -+ gdCtxPrintf(out, "%d\n", gdImageSX(image)); -+ -+ /* #define _height 1234 */ -+ gdCtxPuts(out, "#define "); -+ gdCtxPuts(out, name); -+ gdCtxPuts(out, "_height "); -+ gdCtxPrintf(out, "%d\n", gdImageSY(image)); -+ -+ /* static unsigned char _bits[] = {\n */ -+ gdCtxPuts(out, "static unsigned char "); -+ gdCtxPuts(out, name); -+ gdCtxPuts(out, "_bits[] = {\n "); - - free(name); - -@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC - if ((b == 128) || (x == sx && y == sy)) { - b = 1; - if (p) { -- gdCtxPrintf(out, ", "); -+ gdCtxPuts(out, ", "); - if (!(p%12)) { -- gdCtxPrintf(out, "\n "); -+ gdCtxPuts(out, "\n "); - p = 12; - } - } -@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC - } - } - } -- gdCtxPrintf(out, "};\n"); -+ gdCtxPuts(out, "};\n"); - } - /* }}} */ - diff --git a/gd-CVE-2016-6132.patch b/gd-CVE-2016-6132.patch deleted file mode 100644 index 038a8d2..0000000 --- a/gd-CVE-2016-6132.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Tue, 12 Jul 2016 11:24:09 +0200 -Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA - files - ---- - src/gd_tga.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/gd_tga.c b/src/gd_tga.c -index ef20f86..07f3c86 100644 ---- a/src/gd_tga.c -+++ b/src/gd_tga.c -@@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) - return -1; - } - -- gdGetBuf(conversion_buffer, image_block_size, ctx); -+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { -+ gdFree(conversion_buffer); -+ return -1; -+ } - - while (buffer_caret < image_block_size) { - tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret]; -@@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) - return -1; - } - -- gdGetBuf( conversion_buffer, image_block_size, ctx ); -+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { -+ gdFree(conversion_buffer); -+ gdFree(decompression_buffer); -+ return -1; -+ } - - buffer_caret = 0; - - diff --git a/gd-CVE-2016-6214.patch b/gd-CVE-2016-6214.patch deleted file mode 100644 index 78c0ee2..0000000 --- a/gd-CVE-2016-6214.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 10ef1dca63d62433fda13309b4a228782db823f7 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Tue, 12 Jul 2016 19:23:13 +0200 -Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error - gracefully - -Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are -really supported. All other combinations will be rejected with a warning. ---- - src/gd_tga.c | 16 ++++++---------- - tests/tga/.gitignore | 1 + - tests/tga/CMakeLists.txt | 1 + - tests/tga/Makemodule.am | 4 +++- - tests/tga/bug00247a.c | 19 +++++++++++++++++++ - tests/tga/bug00247a.tga | Bin 0 -> 36 bytes - 6 files changed, 30 insertions(+), 11 deletions(-) - create mode 100644 tests/tga/bug00247a.c - create mode 100644 tests/tga/bug00247a.tga - -diff --git a/src/gd_tga.c b/src/gd_tga.c -index 20fe2d2..b4f8fa6 100644 ---- a/src/gd_tga.c -+++ b/src/gd_tga.c -@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx) - if (tga->bits == TGA_BPP_24) { - *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]); - bitmap_caret += 3; -- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) { -+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) { - register int a = tga->bitmap[bitmap_caret + 3]; - - *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1)); -@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga) - printf("wxh: %i %i\n", tga->width, tga->height); - #endif - -- switch(tga->bits) { -- case 8: -- case 16: -- case 24: -- case 32: -- break; -- default: -- gd_error("bps %i not supported", tga->bits); -+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0) -+ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8))) -+ { -+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n", -+ tga->bits, tga->alphabits); - return -1; -- break; - } - - tga->ident = 
NULL; diff --git a/gd-CVE-2016-6905.patch b/gd-CVE-2016-6905.patch deleted file mode 100644 index 156178c..0000000 --- a/gd-CVE-2016-6905.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Tue, 12 Jul 2016 14:20:16 +0200 -Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga - ---- - src/gd_tga.c | 34 ++++++++++++++++++++++++++-------- - 1 file changed, 26 insertions(+), 8 deletions(-) - -Index: libgd-2.1.1/src/gd_tga.c -=================================================================== ---- libgd-2.1.1.orig/src/gd_tga.c 2015-01-06 10:16:03.000000000 +0100 -+++ libgd-2.1.1/src/gd_tga.c 2016-08-23 13:15:45.975724158 +0200 -@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga * - int buffer_caret = 0; - int bitmap_caret = 0; - int i = 0; -- int j = 0; - uint8_t encoded_pixels; - - if(overflow2(tga->width, tga->height)) { -@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga * - while( bitmap_caret < image_block_size ) { - - if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) { -- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 ); -+ encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 ); - buffer_caret++; - -+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { -+ gdFree( decompression_buffer ); -+ gdFree( conversion_buffer ); -+ return -1; -+ } -+ - for (i = 0; i < encoded_pixels; i++) { -- for (j = 0; j < pixel_block_size; j++, bitmap_caret++) { -- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ]; -- } -+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size); -+ bitmap_caret += pixel_block_size; - } - buffer_caret += pixel_block_size; -+ - } else { - encoded_pixels = decompression_buffer[ buffer_caret ] + 1; - buffer_caret++; - -- for (i = 0; i < encoded_pixels; i++) { -- for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) { -- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ]; -- } -- buffer_caret += 
pixel_block_size; -+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { -+ gdFree( decompression_buffer ); -+ gdFree( conversion_buffer ); -+ return -1; - } -+ -+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size); -+ bitmap_caret += (encoded_pixels * pixel_block_size); -+ buffer_caret += (encoded_pixels * pixel_block_size); - } - } - diff --git a/gd-disable-freetype27-failed-tests.patch b/gd-disable-freetype27-failed-tests.patch new file mode 100644 index 0000000..eed8546 --- /dev/null +++ b/gd-disable-freetype27-failed-tests.patch 
@@ -0,0 +1,47 @@ +Two tests: freetype/bug00132 and gdimagestringft fail with freetype >= 2.7 +for being too exact/strict, as acknowledged by upstream. Let us disable these +tests for now, as the impact is understood to be "slight". See discussion +in the issue tracker. +Issue: https://github.com/libgd/libgd/issues/302 + +Index: libgd-2.2.3/tests/CMakeLists.txt +=================================================================== +--- libgd-2.2.3.orig/tests/CMakeLists.txt ++++ libgd-2.2.3/tests/CMakeLists.txt +@@ -19,7 +19,6 @@ if (BUILD_TEST) + + SET(TESTS_DIRS + bmp +- freetype + gd + gd2 + gdimagearc +@@ -50,7 +49,6 @@ if (BUILD_TEST) + gdimagescale + gdimagescatterex + gdimagesetpixel +- gdimagestringft + gdimagestringftex + gdimagetruecolortopalette + gdinterpolatedscale +Index: libgd-2.2.3/tests/Makefile.am +=================================================================== +--- libgd-2.2.3.orig/tests/Makefile.am ++++ libgd-2.2.3/tests/Makefile.am +@@ -13,7 +13,6 @@ EXTRA_DIST = + TESTS = + + include bmp/Makemodule.am +-include freetype/Makemodule.am + include gd/Makemodule.am + include gd2/Makemodule.am + include gdimagearc/Makemodule.am +@@ -44,7 +43,6 @@ include gdimagerotate/Makemodule.am + include gdimagescale/Makemodule.am + include gdimagescatterex/Makemodule.am + include gdimagesetpixel/Makemodule.am +-include gdimagestringft/Makemodule.am + include gdimagestringftex/Makemodule.am + include gdimagetruecolortopalette/Makemodule.am + include gdinterpolatedscale/Makemodule.am + diff --git a/gd-libvpx.patch b/gd-libvpx.patch deleted file mode 100644 index b63a1de..0000000 --- a/gd-libvpx.patch +++ /dev/null 
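Review bot: The patch header names only freetype/bug00132 and gdimagestringft as the failing tests, but the hunks against tests/CMakeLists.txt and tests/Makefile.am remove the whole `freetype` entry and `include freetype/Makemodule.am`, so every test under tests/freetype stops running, not just bug00132. If only that one case is affected, the narrower change is to drop bug00132 from the freetype module's own test list (presumably freetype/Makemodule.am and its CMake counterpart) and keep the rest of the directory in the build. If disabling the entire directory is intended, the header should say so, e.g. `Note: this disables all of tests/freetype, not only bug00132, until libgd#302 is resolved.`, so the coverage loss is visible to whoever re-enables it later.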
@@ -1,24 +0,0 @@ ---- src/webpimg.c.orig 2015-01-06 10:16:03.000000000 +0100 -+++ src/webpimg.c 2015-05-12 15:02:50.784722900 +0200 -@@ -711,14 +711,14 @@ - codec_ctl(&enc, VP8E_SET_STATIC_THRESHOLD, 0); - codec_ctl(&enc, VP8E_SET_TOKEN_PARTITIONS, 2); - -- vpx_img_wrap(&img, IMG_FMT_I420, -+ vpx_img_wrap(&img, VPX_IMG_FMT_I420, - y_width, y_height, 16, (uint8*)(Y)); -- img.planes[PLANE_Y] = (uint8*)(Y); -- img.planes[PLANE_U] = (uint8*)(U); -- img.planes[PLANE_V] = (uint8*)(V); -- img.stride[PLANE_Y] = y_stride; -- img.stride[PLANE_U] = uv_stride; -- img.stride[PLANE_V] = uv_stride; -+ img.planes[VPX_PLANE_Y] = (uint8*)(Y); -+ img.planes[VPX_PLANE_U] = (uint8*)(U); -+ img.planes[VPX_PLANE_V] = (uint8*)(V); -+ img.stride[VPX_PLANE_Y] = y_stride; -+ img.stride[VPX_PLANE_U] = uv_stride; -+ img.stride[VPX_PLANE_V] = uv_stride; - - res = vpx_codec_encode(&enc, &img, 0, 1, 0, VPX_DL_BEST_QUALITY); - diff --git a/gd-test-unintialized-var.patch b/gd-test-unintialized-var.patch new file mode 100644 index 0000000..7feaeaf --- /dev/null +++ b/gd-test-unintialized-var.patch @@ -0,0 +1,13 @@ +Index: libgd-2.2.3/tests/gd2/gd2_read.c +=================================================================== +--- libgd-2.2.3.orig/tests/gd2/gd2_read.c ++++ libgd-2.2.3/tests/gd2/gd2_read.c +@@ -5,7 +5,7 @@ + + int main(int argc, char *argv[]) + { +- int error, i = 0; ++ int error = 0, i = 0; + gdImagePtr im, exp; + FILE *fp; + char *path[] = { diff --git a/gd.changes b/gd.changes index 349fcb3..c608594 100644 --- a/gd.changes +++ b/gd.changes 
@@ -1,3 +1,54 @@ +------------------------------------------------------------------- +Fri Sep 30 14:59:25 UTC 2016 - badshah400@gmail.com + +- Update to version 2.2.3: + + Security fixes: + - Php bug#72339, Integer Overflow in _gd2GetHeader + (CVE-2016-5766) + - Issue gh/libgd/libgd#247: A read out-of-bands was found in + the parsing of TGA files (CVE-2016-6132) + - Issue gh/libgd/libgd#247: Buffer over-read issue when + parsing crafted TGA file (CVE-2016-6214) + - Issue gh/libgd/libgd#248: fix Out-Of-Bounds Read in + read_image_tga + - Integer overflow error within _gdContributionsAlloc() + (CVE-2016-6207) + - Fix php bug#72494, invalid color index not handled, can lead + to crash (CVE-2016-6128) + + Improve color check for CropThreshold + + gdImageCopyResampled has been improved. Better handling of + images with alpha channel, also brings libgd in sync with + php's bundled gd. +- Drop patches: + + gd-CVE-2016-5116.patch: upstreamed + + gd-CVE-2016-6132.patch: upstreamed + + gd-CVE-2016-6214.patch: upstreamed + + gd-CVE-2016-6905.patch: upstreamed + + gd-libvpx.patch: vpx support dropped. +- Add BuildRequires for automake and autoconf since + gd-disable-freetype27-failed-tests.patch touches makefiles. +- Drop getver.pl from source: included in upstream tarball. +- Add "-msse -mfpmath=sse" to CFLAGS to fix tests on ix86 + architectures. +- Add "-ffp-contract=off" to CFLAGS for non-ix86 arch (ppc, arm) + to fix a test: see gh#libgd/libgd#278. +- Add gd-test-unintialized-var.patch to fix an uninitialised + variable in tests/gd2/gd2_read.c to prevent it from compiling + with -Werror (only causes problems in no ix86 arch + surprisingly); patch sent upstream. +- Rebase gd-disable-freetype27-failed-tests.patch for updated + version. +- Update URL and Source to project's new github URL's. 
+ +------------------------------------------------------------------- +Thu Sep 29 14:06:53 UTC 2016 - badshah400@gmail.com + +- Add gd-disable-freetype27-failed-tests.patch: Disable for now + tests failing against freetype >= 2.7 for being too exact + (gh#libgd/libgd#302). The failures have been understood by + upstream to be due to minor differences between test images and + those generated when freeetype >= 2.7 is used to build gd. + ------------------------------------------------------------------- Tue Aug 23 11:16:25 UTC 2016 - pgajdos@suse.com diff --git a/gd.spec b/gd.spec index 77151e9..d70a414 100644 --- a/gd.spec +++ b/gd.spec @@ -21,15 +21,14 @@ %define lname libgd3 Name: gd -Version: 2.1.1 +Version: 2.2.3 Release: 0 Summary: A Drawing Library for Programs That Use PNG and JPEG Output License: MIT Group: System/Libraries -Url: http://libgd.bitbucket.org/ -Source: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}.tar.xz +Url: https://libgd.github.io/ +Source: https://github.com/libgd/libgd/releases/download/%{name}-%{version}/%{prjname}-%{version}.tar.xz Source1: baselibs.conf -Source2: getver.pl # to be upstreamed, gdlib-config --libs to return the same as pkg-config --libs gdlib Patch0: gd-config.patch # might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir) 
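Review bot: The new `Source:` line expands `%{prjname}` for the tarball name while the release path uses `%{name}`, and `%{prjname}` is not defined anywhere in this hunk's context (only `%define lname libgd3` is visible at the top). If it is defined above line 21 that is fine; otherwise the URL will not expand and the source fetch breaks. A one-line comment next to the definition, or directly above `Source:`, such as `# upstream tarballs are named libgd-<ver>, release tags gd-<ver>`, would explain why two different macros are needed for one URL.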
@@ -38,19 +37,18 @@ Patch1: gd-fontpath.patch Patch2: gd-format.patch # could be upstreamed Patch3: gd-aliasing.patch -# could be upstreamed -Patch4: gd-libvpx.patch -Patch5: gd-CVE-2016-5116.patch -Patch6: gd-CVE-2016-6132.patch -Patch7: gd-CVE-2016-6214.patch -Patch8: gd-CVE-2016-6905.patch +# PATCH-FIX-UPSTREAM gd-disable-freetype27-failed-tests.patch gh#libgd/libgd#302 badshah400@gmail.com -- Disable for now tests failing against freetype >= 2.7 for being too exact. +Patch5: gd-disable-freetype27-failed-tests.patch +# PATCH-FIX-UPSTREAM gd-test-unintialized-var.patch badshah400@gmail.com -- Initialise a variable in tests/gd2/gd2_read.c to 0 to prevent it from failing to compile with -Werror (only causes problems in no ix86 arch surprisingly); patch sent upstream +Patch6: gd-test-unintialized-var.patch +BuildRequires: autoconf +BuildRequires: automake BuildRequires: fontconfig-devel BuildRequires: freetype2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel BuildRequires: libtiff-devel BuildRequires: libtool -BuildRequires: libvpx-devel BuildRequires: pkg-config BuildRequires: xorg-x11-libX11-devel BuildRequires: xorg-x11-libXau-devel @@ -99,18 +97,20 @@ the formats accepted for inline images by most browsers. %patch1 %patch2 %patch3 -%patch4 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 %build -# this file is errorneously forgotten from the tarball -# remove in next release to 2.1.1 -cp %{SOURCE2} config/getver.pl -perl config/getver.pl autoreconf -fiv + +# ADDITIONAL CFLAGS ARE NEEDED TO FIX TEST FAILURES IN CASE OF i586, BUT HARMLESS TO APPLY GENERALLY FOR ALL ix86 +%ifarch %{ix86} +CFLAGS="$CFLAGS -msse -mfpmath=sse" +export CFLAGS +%else +CFLAGS="$CFLAGS -ffp-contract=off" +%endif + # without-x -- useless switch which just mangles cflags %configure \ --without-x \ @@ -121,6 +121,7 @@ autoreconf -fiv --with-xpm \ --disable-static \ --with-pic + make %{?_smp_mflags} %check 
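Review bot: The `PATCH-FIX-UPSTREAM` tag on Patch5 is misleading: gd-disable-freetype27-failed-tests.patch is a local workaround that disables tests "for now", not a fix taken from or sent to upstream, so the conventional tag for it is `PATCH-FIX-OPENSUSE`. Patch6 is described as sent upstream, so its `PATCH-FIX-UPSTREAM` tag is accurate. The suggested line is `# PATCH-FIX-OPENSUSE gd-disable-freetype27-failed-tests.patch gh#libgd/libgd#302 badshah400@gmail.com -- Disable for now tests failing against freetype >= 2.7 for being too exact.`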
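Review bot: In the `%build` hunk the `%ifarch %{ix86}` branch does `export CFLAGS`, but the `%else` branch only assigns `CFLAGS="$CFLAGS -ffp-contract=off"` without exporting it, so on non-ix86 builds the flag reaches `%configure` only if that macro happens to re-export the shell variable; the asymmetry looks accidental and is cheap to fix by moving `export CFLAGS` below `%endif` so both branches share it. Separately, the comment claims `-msse -mfpmath=sse` is harmless for all ix86, but `-msse` allows the compiler to emit SSE instructions in the library itself, which would fault on CPUs without SSE; if the target's i586 baseline does not guarantee SSE, this fixes the tests at the cost of the library being unusable on such machines, and a comment stating that trade-off (or restricting the flags to the test build) would be appropriate. The `%build` section continues outside this hunk.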
@@ -128,6 +129,7 @@ make check %{?_smp_mflags} %install make DESTDIR=%{buildroot} install %{?_smp_mflags} + find %{buildroot} -type f -name "*.la" -delete -print %post -n %lname -p /sbin/ldconfig diff --git a/getver.pl b/getver.pl deleted file mode 100644 index b44b81e..0000000 --- a/getver.pl +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env perl - -# Simple script to extract the version number parts from src/gd.h. If -# called with the middle word of the version macro, it prints the -# value of that macro. If called with no argument, it outputs a -# human-readable version string. This must be run in the project -# root. It is used by configure.ac and docs/naturaldocs/run_docs.sh. - -use strict; - -my $key = shift; -my @version_parts = (); - -open FH, ") { - next unless m{version605b5d1778}; - next unless /^#define\s+GD_([A-Z0-9]+)_VERSION+\s+(\S+)/; - my ($lk, $lv) = ($1, $2); - if ($lk eq $key) { - chomp $lv; - $lv =~ s/"//g; - - print $lv; # no newline - exit(0); # success! - } - - push @version_parts, $lv if (!$key); -} - -close(FH); - -if (scalar @version_parts == 4) { - my $result = join(".", @version_parts[0..2]); - $result .= $version_parts[3]; - $result =~ s/"//g; - print $result; - exit(0); -} - -exit(1); # failure diff --git a/libgd-2.1.1.tar.xz b/libgd-2.1.1.tar.xz deleted file mode 100644 index cdd99a2..0000000 --- a/libgd-2.1.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285 -size 2039132 diff --git a/libgd-2.2.3.tar.xz b/libgd-2.2.3.tar.xz new file mode 100644 index 0000000..7e579dd --- /dev/null +++ b/libgd-2.2.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c +size 2164152